Reporting flow for security issues

Paul Spooren mail at aparcar.org
Sat Apr 25 23:36:05 PDT 2026


Hi,

I’m the one monitoring and responding to contact at openwrt.org and the number of security reports is increasing (like with so many other projects). The reports are great (thanks!) to plainly AI slop. Since I’m not familiar with all OpenWrt components, I forward reports to maintainers and ask them to reproduce findings prior to escalating or filing CVEs.

This works, however I’m wondering if using GitHub security reports would be a better entrance and an email to contact at o.o only an “escalation”, if maintainers do not respond? Right now all OpenWrt projects are mirrored to GitHub, so discussion and CVE requesting could be handled there, without a ping-pong.

For the intermediate time, I’d subscribe to all security alerts of all projects and assign OpenWrt maintainers the duty step by step (if they haven’t set up notifications on their own yet).

Thoughts?

Best,
Paul


More information about the openwrt-adm mailing list